aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-05-2022 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe
Size

4.3MB
MD5

34fd6dbb11b1cbf0d235612d6747678e
SHA1

517cf5249f6245075e1d911a3b539114beb50f71
SHA256

aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995
SHA512

6e5f0a914f43cf32445e70e01bae4840b2ccb17424b99be83dea39b1649951b2e7854de63d68f6ad16b9668d8e83b0d5f8f05d1769b3327349aa8b18c0dc3918

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

iAmazon.exeExec.exeExec.exe

pid process

1368 iAmazon.exe
524 Exec.exe
1552 Exec.exe

pid	process
1368	iAmazon.exe
524	Exec.exe
1552	Exec.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1108 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

472 powershell.exe
2004 powershell.exe
1088 powershell.exe
1660 powershell.exe
2040 powershell.exe
1444 powershell.exe
1480 powershell.exe

pid	process
1108	schtasks.exe

pid	process
472	powershell.exe
2004	powershell.exe
1088	powershell.exe
1660	powershell.exe
2040	powershell.exe
1444	powershell.exe
1480	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeiAmazon.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1368	iAmazon.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exetaskeng.exeExec.exeExec.exe

description	pid	process	target process
PID 884 wrote to memory of 1108	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	schtasks.exe
PID 884 wrote to memory of 1108	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	schtasks.exe
PID 884 wrote to memory of 1108	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	schtasks.exe
PID 884 wrote to memory of 2040	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 2040	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 2040	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 2004	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 2004	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 2004	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1152	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1152	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1152	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 472	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 472	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 472	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1660	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1660	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1660	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1088	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1088	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1088	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	powershell.exe
PID 884 wrote to memory of 1368	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	iAmazon.exe
PID 884 wrote to memory of 1368	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	iAmazon.exe
PID 884 wrote to memory of 1368	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	iAmazon.exe
PID 884 wrote to memory of 1368	884	aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe	iAmazon.exe
PID 1364 wrote to memory of 524	1364	taskeng.exe	Exec.exe
PID 1364 wrote to memory of 524	1364	taskeng.exe	Exec.exe
PID 1364 wrote to memory of 524	1364	taskeng.exe	Exec.exe
PID 524 wrote to memory of 1444	524	Exec.exe	powershell.exe
PID 524 wrote to memory of 1444	524	Exec.exe	powershell.exe
PID 524 wrote to memory of 1444	524	Exec.exe	powershell.exe
PID 1364 wrote to memory of 1552	1364	taskeng.exe	Exec.exe
PID 1364 wrote to memory of 1552	1364	taskeng.exe	Exec.exe
PID 1364 wrote to memory of 1552	1364	taskeng.exe	Exec.exe
PID 1552 wrote to memory of 1480	1552	Exec.exe	powershell.exe
PID 1552 wrote to memory of 1480	1552	Exec.exe	powershell.exe
PID 1552 wrote to memory of 1480	1552	Exec.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe
"C:\Users\Admin\AppData\Local\Temp\aff15f407cb77bbe07961830f4e94f8dab637ee9f02aaba76c2e4941f0d43995.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /TN Exec /tr C:\Users\Admin\AppData\Local\Temp\Exec.exe
2⤵
- Creates scheduled task(s)
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -File C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\CLP.PS1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -File C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\Sys32.PS1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users" -Force
2⤵
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\iAmazon.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\iAmazon.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\taskeng.exe
taskeng.exe {57DA7AFE-86DA-4378-846C-11C746FA4694} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\Exec.exe
C:\Users\Admin\AppData\Local\Temp\Exec.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -File C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\Sys32.PS1
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Users\Admin\AppData\Local\Temp\Exec.exe
C:\Users\Admin\AppData\Local\Temp\Exec.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -File C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\Sys32.PS1
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Exec.exe
Filesize
4KB

MD5
3cfa7f939c72e8e1d69011e9609ee54b

SHA1
eb7af8d25ae63b348c0b665e0d6f2455420fa576

SHA256
ed00fbb5f5ca89cd4e81584a6604b689c65f6b16c7f69627a18abac73e70a14f

SHA512
8591fc11d697a3eb6d07fdfd0d40e353d25a049480606e0653cf3a036ede5f5229d69f3bde30b5dfec6d193b5d7d4df33f4e08e678d46b23eae1c95ceef3f0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exec.exe
Filesize
4KB

MD5
3cfa7f939c72e8e1d69011e9609ee54b

SHA1
eb7af8d25ae63b348c0b665e0d6f2455420fa576

SHA256
ed00fbb5f5ca89cd4e81584a6604b689c65f6b16c7f69627a18abac73e70a14f

SHA512
8591fc11d697a3eb6d07fdfd0d40e353d25a049480606e0653cf3a036ede5f5229d69f3bde30b5dfec6d193b5d7d4df33f4e08e678d46b23eae1c95ceef3f0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exec.exe
Filesize
4KB

MD5
3cfa7f939c72e8e1d69011e9609ee54b

SHA1
eb7af8d25ae63b348c0b665e0d6f2455420fa576

SHA256
ed00fbb5f5ca89cd4e81584a6604b689c65f6b16c7f69627a18abac73e70a14f

SHA512
8591fc11d697a3eb6d07fdfd0d40e353d25a049480606e0653cf3a036ede5f5229d69f3bde30b5dfec6d193b5d7d4df33f4e08e678d46b23eae1c95ceef3f0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\CLP.PS1
Filesize
81KB

MD5
dd89352a77b2032e1f2bbfc458573525

SHA1
14208f50e67217f0396996da1e8e68be40171591

SHA256
d36911b3311d4d5603335c534622f1ca96c5181ab82e49fc90146e7806c49a52

SHA512
9d14b75650334c6e054e550cccfcfb4f7a77393227e59979bbccea2d4aa679b5a34638dc23bb19e94a772072649be4a591b4c93aa869dcc9326825f3d22f3009

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\Sys32.PS1
Filesize
120KB

MD5
716ed1eb9f6360328e92030d98496a46

SHA1
1ed50ee40df7602a1adae5c4c763bc2a30033c2a

SHA256
ac2c566783be636007299a27e8f3e79d2bc2d5931150ac5b6bc7aa031b9e4d4f

SHA512
e2c1a1012f1f1241dee507fb8c1a46bf16d297d7692e77efb77ef04c6658e5499f5cc925a53436aad842ae76c86bcab3115274d57d9b5dcf892f1194f1f09ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\iAmazon.exe
Filesize
2.8MB

MD5
d1030184711310725a604d31173362cc

SHA1
dc4b1c4b10361e322a6226f3f1e0f1121f0a9593

SHA256
73cd2bde631726e737fcdbd54b596ff3c39acce30caaf4181a2f32277955dd08

SHA512
3effff70c9f576406fa231c516c8917c7019675a253bd9bdfef88e7f048c1f77b77229795dbb4f83760f08fff5323e0b854e54a8b9730003865996f970acbc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\iAmazon.exe
Filesize
2.8MB

MD5
d1030184711310725a604d31173362cc

SHA1
dc4b1c4b10361e322a6226f3f1e0f1121f0a9593

SHA256
73cd2bde631726e737fcdbd54b596ff3c39acce30caaf4181a2f32277955dd08

SHA512
3effff70c9f576406fa231c516c8917c7019675a253bd9bdfef88e7f048c1f77b77229795dbb4f83760f08fff5323e0b854e54a8b9730003865996f970acbc94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8cc43305093e4fee7779cd728fe54df4

SHA1
c9a621a03557b68b3e2a437cb6876db235bc7736

SHA256
fa5e6b5ddc32187be3da77999771adba2ba7df103b6ea946e69854ac7fb515ae

SHA512
e3cf80664a33bcfe0cf58cfdbd67f2cd0b96b8695c2681e8e157f03ee584ead00c391e41058bb54efd6d124e193275bc1b60838bb70b392895cf23feb1794ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8cc43305093e4fee7779cd728fe54df4

SHA1
c9a621a03557b68b3e2a437cb6876db235bc7736

SHA256
fa5e6b5ddc32187be3da77999771adba2ba7df103b6ea946e69854ac7fb515ae

SHA512
e3cf80664a33bcfe0cf58cfdbd67f2cd0b96b8695c2681e8e157f03ee584ead00c391e41058bb54efd6d124e193275bc1b60838bb70b392895cf23feb1794ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8cc43305093e4fee7779cd728fe54df4

SHA1
c9a621a03557b68b3e2a437cb6876db235bc7736

SHA256
fa5e6b5ddc32187be3da77999771adba2ba7df103b6ea946e69854ac7fb515ae

SHA512
e3cf80664a33bcfe0cf58cfdbd67f2cd0b96b8695c2681e8e157f03ee584ead00c391e41058bb54efd6d124e193275bc1b60838bb70b392895cf23feb1794ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8cc43305093e4fee7779cd728fe54df4

SHA1
c9a621a03557b68b3e2a437cb6876db235bc7736

SHA256
fa5e6b5ddc32187be3da77999771adba2ba7df103b6ea946e69854ac7fb515ae

SHA512
e3cf80664a33bcfe0cf58cfdbd67f2cd0b96b8695c2681e8e157f03ee584ead00c391e41058bb54efd6d124e193275bc1b60838bb70b392895cf23feb1794ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8cc43305093e4fee7779cd728fe54df4

SHA1
c9a621a03557b68b3e2a437cb6876db235bc7736

SHA256
fa5e6b5ddc32187be3da77999771adba2ba7df103b6ea946e69854ac7fb515ae

SHA512
e3cf80664a33bcfe0cf58cfdbd67f2cd0b96b8695c2681e8e157f03ee584ead00c391e41058bb54efd6d124e193275bc1b60838bb70b392895cf23feb1794ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8cc43305093e4fee7779cd728fe54df4

SHA1
c9a621a03557b68b3e2a437cb6876db235bc7736

SHA256
fa5e6b5ddc32187be3da77999771adba2ba7df103b6ea946e69854ac7fb515ae

SHA512
e3cf80664a33bcfe0cf58cfdbd67f2cd0b96b8695c2681e8e157f03ee584ead00c391e41058bb54efd6d124e193275bc1b60838bb70b392895cf23feb1794ae0

Download Submit
memory/472-74-0x000007FEECB90000-0x000007FEED6ED000-memory.dmp

Filesize
11.4MB

Download
memory/472-61-0x0000000000000000-mapping.dmp

Download
memory/472-71-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/472-88-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/524-100-0x0000000000000000-mapping.dmp

Download
memory/524-104-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/884-55-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/884-54-0x00000000001A0000-0x00000000005F2000-memory.dmp

Filesize
4.3MB

Download
memory/1088-83-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1088-86-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/1088-85-0x000007FEECB90000-0x000007FEED6ED000-memory.dmp

Filesize
11.4MB

Download
memory/1088-95-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1088-73-0x0000000000000000-mapping.dmp

Download
memory/1108-56-0x0000000000000000-mapping.dmp

Download
memory/1152-59-0x0000000000000000-mapping.dmp

Download
memory/1368-75-0x0000000000000000-mapping.dmp

Download
memory/1368-99-0x00000000003C0000-0x0000000000688000-memory.dmp

Filesize
2.8MB

Download
memory/1368-101-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/1368-110-0x0000000004D95000-0x0000000004DA6000-memory.dmp

Filesize
68KB

Download
memory/1444-106-0x0000000000000000-mapping.dmp

Download
memory/1444-109-0x000007FEECB90000-0x000007FEED6ED000-memory.dmp

Filesize
11.4MB

Download
memory/1444-114-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/1444-113-0x000007FEF34B0000-0x000007FEF4546000-memory.dmp

Filesize
16.6MB

Download
memory/1444-112-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1444-111-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1480-124-0x000007FEF34B0000-0x000007FEF4546000-memory.dmp

Filesize
16.6MB

Download
memory/1480-123-0x000000001B960000-0x000000001BC5F000-memory.dmp

Filesize
3.0MB

Download
memory/1480-122-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/1480-121-0x000007FEECB90000-0x000007FEED6ED000-memory.dmp

Filesize
11.4MB

Download
memory/1480-118-0x0000000000000000-mapping.dmp

Download
memory/1552-115-0x0000000000000000-mapping.dmp

Download
memory/1660-82-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1660-72-0x0000000000000000-mapping.dmp

Download
memory/1660-87-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1660-93-0x000000000275B000-0x000000000277A000-memory.dmp

Filesize
124KB

Download
memory/1660-84-0x000007FEECB90000-0x000007FEED6ED000-memory.dmp

Filesize
11.4MB

Download
memory/2004-58-0x0000000000000000-mapping.dmp

Download
memory/2004-65-0x000007FEECB90000-0x000007FEED6ED000-memory.dmp

Filesize
11.4MB

Download
memory/2004-70-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2004-97-0x000007FEF34B0000-0x000007FEF4546000-memory.dmp

Filesize
16.6MB

Download
memory/2004-89-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/2004-94-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/2040-64-0x000007FEECB90000-0x000007FEED6ED000-memory.dmp

Filesize
11.4MB

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download
memory/2040-98-0x000007FEF34B0000-0x000007FEF4546000-memory.dmp

Filesize
16.6MB

Download
memory/2040-69-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/2040-96-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/2040-90-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads